jskfan asked:

usage of RestrictDriverInstallationToAdministrators

I am applying GPO for Point and Print as per Microsoft recommendation: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7


The GPO seems to work fine, but I do not understand the meaning of this Registry dword: RestrictDriverInstallationToAdministrators. Do I need to manually add it, since the GPO does not add that Registry dword?

Though I have added it to the client computer to which I applied the GPO, I did not see any difference.


Any help will be very much appreciated.

Thank you

Active Directory, Windows OS

Last comment: jskfan, 8/22/2022 - Mon

Robert

It looks to me like that overrides the Point and Print GPO to only allow admins to install drivers. It is basically a workaround to secure the system against PrintNightmare.
ASKER
jskfan

But I logged in to the client computer as a regular domain user and was able to use the UNC path to the print server and install the printer.
Robert

You created the key on the client: RestrictDriverInstallationToAdministrators and set the value to 1.
I don't know if it would require a reboot after you created the key to restrict.
However, as long as that key is set to 1, it should require admin rights to install a driver.

Robert

Also, just to confirm: the user is not in the local admin group on the PC, correct?
ASKER
jskfan

"You created the key on the client: RestrictDriverInstallationToAdministrators and set the value to 1."
Correct.
I also rebooted the client.

I looked, and User1 is not a local admin.
[Screenshot: 1.JPG]
ASKER CERTIFIED SOLUTION
Hello There

Log in or sign up to see answer
ASKER
jskfan

I guess the reason was that I used Windows 2016 Server as the client.
Now I am using Windows 10.

I am not using this dword string anymore: RestrictDriverInstallationToAdministrators

I have set up the GPO as shown below:
[Screenshot: 1.JPG]
Now when a regular user connects to the print server and selects a printer, it prompts him to install the driver. He selects that and it starts copying files; however, it prompts him to enter administrator credentials when it is done copying files. The purpose of this GPO is to prevent that, as the print server name to which the regular user is connecting is listed in the GPO.
========

By the way, when the GPO is applied to the computer, it creates the dword strings shown below:
[Screenshot: 1.JPG]
ASKER
jskfan

Well, testing always helps.
I realized that all the GPO above does is limit which print servers regular users can connect to / install drivers from.
Though in the GPO I selected "do not show warning or elevated prompt", I keep seeing the UAC prompt popping up.
[Screenshot: 1.JPG]
So, without this dword string: RestrictDriverInstallationToAdministrators = 0 in the client registry in addition to the GPO, the regular user will always get the UAC prompt to enter elevated credentials.
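
Added example, not part of the thread and not written by any poster or by Microsoft: a read-only PowerShell check of the values discussed above, run on the client to see what the GPO and any manual edit actually left in the registry. The key path and the value names other than RestrictDriverInstallationToAdministrators are assumptions taken from Microsoft's KB5005010 guidance linked in the question; the script changes nothing.

```powershell
# Added example: read-only audit of the Point and Print policy values on a client.
# Assumption: key path and value names as documented in Microsoft's KB5005010.
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$names = 'RestrictDriverInstallationToAdministrators',
         'NoWarningNoElevationOnInstall',
         'UpdatePromptSettings',
         'TrustedServers',
         'ServerList'

$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$state = [ordered]@{}
foreach ($n in $names) {
    # An absent value is reported as $null so it is not confused with 0.
    $state[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { $null }
}
[pscustomobject]$state | Format-List

# True only when this session holds an elevated administrator token.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
"Session is elevated administrator: $isAdmin"

$restrict = $state['RestrictDriverInstallationToAdministrators']
if ($null -eq $restrict) {
    'Restrict value not set: the OS default for this patch level applies.'
} elseif ($restrict -eq 1) {
    'Printer driver installation requires administrator rights.'
} elseif ($restrict -eq 0) {
    'Non-administrators may install drivers, subject to the Point and Print Restrictions policy.'
} else {
    "Unexpected value for RestrictDriverInstallationToAdministrators: $restrict"
}

# KB5005010 lists 0 or "not defined" as the recommended state for both prompt settings.
foreach ($n in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    if ($null -ne $state[$n] -and $state[$n] -ne 0) {
        "$n = $($state[$n]): elevation prompt is relaxed (KB5005010 recommends 0 or not set)."
    }
}
```

Running it before and after `gpupdate /force` shows which values the GPO writes and which were added by hand.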